Malware Analysis Report

2024-09-09 13:39

Sample ID 240606-byjz3adg8z
Target 99b7db88471aaf69942819f40f9a4f38_JaffaCakes118
SHA256 a65ce10c3d8db06c2e451c837766ed2c8e517e4b953e940aca5c2e6d1d3faf88
Tags
banker collection discovery evasion persistence stealth trojan
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file 99b7db88471aaf69942819f40f9a4f38_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

Removes its main activity from the application launcher

Queries account information for other applications stored on the device

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Queries the unique device ID (IMEI, MEID, IMSI)

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Queries information about the current Wi-Fi connection

Reads information about phone network operator

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-06 01:33

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 01:33

Reported

2024-06-06 01:36

Platform

android-x86-arm-20240603-en

Max time kernel

178s

Max time network

177s

Command Line

com.dwob.qwlv.wigm

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.dwob.qwlv.wigm/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.dwob.qwlv.wigm/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.dwob.qwlv.wigm/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.dwob.qwlv.wigm

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.dwob.qwlv.wigm/app_mjf/dz.jar --output-vdex-fd=47 --oat-fd=49 --oat-location=/data/user/0/com.dwob.qwlv.wigm/app_mjf/oat/x86/dz.odex --compiler-filter=quicken --class-loader-context=&

com.dwob.qwlv.wigm:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.61:80 ip.taobao.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.122.61:80 ip.taobao.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
CN 59.82.122.61:80 ip.taobao.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.204.74:443 semanticlocation-pa.googleapis.com tcp
CN 59.82.122.61:80 ip.taobao.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 59.82.122.61:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 59.82.122.61:80 ip.taobao.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 59.82.122.61:80 ip.taobao.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp

Files

/data/data/com.dwob.qwlv.wigm/app_mjf/tdz.jar
/data/data/com.dwob.qwlv.wigm/app_mjf/ddz.jar
/data/user/0/com.dwob.qwlv.wigm/app_mjf/dz.jar
/data/user/0/com.dwob.qwlv.wigm/app_mjf/dz.jar
/data/data/com.dwob.qwlv.wigm/databases/lezzd-journal
/data/data/com.dwob.qwlv.wigm/databases/lezzd
/data/data/com.dwob.qwlv.wigm/databases/lezzd-shm
/data/data/com.dwob.qwlv.wigm/databases/lezzd-wal
/data/data/com.dwob.qwlv.wigm/files/umeng_it.cache
/data/data/com.dwob.qwlv.wigm/files/.umeng/exchangeIdentity.json
/data/data/com.dwob.qwlv.wigm/app_mjf/oat/dz.jar.cur.prof
/data/data/com.dwob.qwlv.wigm/files/.um/um_cache_1717637706920.env
/data/data/com.dwob.qwlv.wigm/files/mobclick_agent_cached_com.dwob.qwlv.wigm1

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 01:33

Reported

2024-06-06 01:36

Platform

android-x64-20240603-en

Max time kernel

178s

Max time network

182s

Command Line

com.dwob.qwlv.wigm

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.dwob.qwlv.wigm/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.dwob.qwlv.wigm/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.dwob.qwlv.wigm

com.dwob.qwlv.wigm:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.61:80 ip.taobao.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
GB 142.250.187.234:443 tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.122.61:80 ip.taobao.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.180.10:443 semanticlocation-pa.googleapis.com tcp
CN 59.82.122.61:80 ip.taobao.com tcp
GB 142.250.187.234:443 semanticlocation-pa.googleapis.com tcp
CN 59.82.122.61:80 ip.taobao.com tcp
GB 172.217.169.14:443 tcp
GB 142.250.187.226:443 tcp
GB 142.250.187.228:443 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
US 1.1.1.1:53 o.pmuro.com udp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
GB 142.250.200.14:443 tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.127:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 59.82.122.127:80 ip.taobao.com tcp
CN 59.82.122.127:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp

Files

/data/data/com.dwob.qwlv.wigm/app_mjf/tdz.jar
/data/data/com.dwob.qwlv.wigm/app_mjf/ddz.jar
/data/user/0/com.dwob.qwlv.wigm/app_mjf/dz.jar
/data/data/com.dwob.qwlv.wigm/databases/lezzd-journal
/data/data/com.dwob.qwlv.wigm/databases/lezzd
/data/data/com.dwob.qwlv.wigm/databases/lezzd-journal
/data/data/com.dwob.qwlv.wigm/databases/lezzd-journal
/data/data/com.dwob.qwlv.wigm/databases/lezzd-journal
/data/data/com.dwob.qwlv.wigm/databases/lezzd-journal
/data/data/com.dwob.qwlv.wigm/databases/lezzd-journal
/data/data/com.dwob.qwlv.wigm/files/umeng_it.cache
/data/data/com.dwob.qwlv.wigm/files/.umeng/exchangeIdentity.json
/data/data/com.dwob.qwlv.wigm/files/.imprint
/data/data/com.dwob.qwlv.wigm/files/umeng_it.cache
/data/data/com.dwob.qwlv.wigm/app_mjf/oat/dz.jar.cur.prof
/data/data/com.dwob.qwlv.wigm/files/.umeng/exchangeIdentity.json
/data/data/com.dwob.qwlv.wigm/files/.um/um_cache_1717637768467.env

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-06 01:33

Reported

2024-06-06 01:36

Platform

android-x64-arm64-20240603-en

Max time kernel

179s

Max time network

178s

Command Line

com.dwob.qwlv.wigm

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.dwob.qwlv.wigm/app_mjf/dz.jar N/A N/A
N/A /data/user/0/com.dwob.qwlv.wigm/app_mjf/dz.jar N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Domain associated with commercial stalkerware software, includes indicators from echap.eu.org

Description Indicator Process Target
N/A alog.umeng.com N/A N/A
N/A alog.umeng.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.dwob.qwlv.wigm

com.dwob.qwlv.wigm:daemon

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 tcp
GB 172.217.16.238:443 tcp
GB 216.58.201.106:443 tcp
GB 216.58.201.106:443 tcp
US 1.1.1.1:53 ip.taobao.com udp
CN 59.82.122.145:80 ip.taobao.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 c.ioate.com udp
CN 59.82.122.145:80 ip.taobao.com tcp
CN 59.82.122.145:80 ip.taobao.com tcp
CN 59.82.122.145:80 ip.taobao.com tcp
GB 172.217.169.68:443 tcp
GB 172.217.169.68:443 tcp
US 1.1.1.1:53 o.pmuro.com udp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
US 54.80.154.23:80 o.pmuro.com tcp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 59.82.122.145:80 ip.taobao.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 59.82.122.145:80 ip.taobao.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 59.82.122.145:80 ip.taobao.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.187.228:443 www.google.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
US 1.1.1.1:53 alog.umeng.co udp
US 1.1.1.1:53 alog.umeng.com udp
CN 223.109.148.130:80 alog.umeng.com tcp
CN 223.109.148.179:80 alog.umeng.com tcp
CN 223.109.148.178:80 alog.umeng.com tcp
CN 223.109.148.141:80 alog.umeng.com tcp
CN 223.109.148.177:80 alog.umeng.com tcp
CN 223.109.148.176:80 alog.umeng.com tcp

Files

/data/user/0/com.dwob.qwlv.wigm/app_mjf/tdz.jar
/data/user/0/com.dwob.qwlv.wigm/app_mjf/ddz.jar
/data/user/0/com.dwob.qwlv.wigm/app_mjf/dz.jar
/data/user/0/com.dwob.qwlv.wigm/databases/lezzd-journal
/data/user/0/com.dwob.qwlv.wigm/databases/lezzd
/data/user/0/com.dwob.qwlv.wigm/databases/lezzd-journal
/data/user/0/com.dwob.qwlv.wigm/databases/lezzd-journal
/data/user/0/com.dwob.qwlv.wigm/databases/lezzd-journal
/data/user/0/com.dwob.qwlv.wigm/databases/lezzd-journal
/data/user/0/com.dwob.qwlv.wigm/databases/lezzd-journal
/data/user/0/com.dwob.qwlv.wigm/files/umeng_it.cache
/data/user/0/com.dwob.qwlv.wigm/files/.umeng/exchangeIdentity.json
/data/user/0/com.dwob.qwlv.wigm/files/.um/um_cache_1717637707663.env
/data/user/0/com.dwob.qwlv.wigm/files/mobclick_agent_cached_com.dwob.qwlv.wigm1